Recently, we have seen a rapid evolution of "blended" mobile malware. Much of this activity has been on the Symbian smartphone platform. For example, Skulls was the second Trojan to infect Symbian Series 60 smartphones (the first was Mosquito). When launched, the application claims to be an "Extended Theme Manager by Tee-222." It then disables all other applications on the phone and replaces their icons with a skull and crossbones. Worse, it was later merged with the Bluetooth-spreading worm Cabir (also known as Caribe) to form the first blended, or "crossover," malware for smartphones.
Skulls and Cabir were also merged to form Metal Gear, a Trojan that masquerades as the game of the same name. Metal Gear uses the Skulls component to deactivate the device's antivirus software, which made it the first anti-AV malware for Symbian phones. It also drops SEXXXY.sis onto the device, an installer that adds code to disable the handset's menu button. The Trojan then uses the Cabir component to transmit itself to new devices.
Another example of blending is the Gavno.a Trojan, which spreads via a file called patch.sis that masquerades as a phone patch. Gavno uses a malformed file to crash an internal Symbian process, disabling the phone: all handset buttons stop working and the user can no longer make calls. It may also put the phone into a continual reboot loop. Gavno is only 2 KB in size, and variants merged with Cabir that spread to other phones have already appeared.
Other examples of viral evolution include the following:
- Dampig Trojan: Notable in that it corrupts the system uninstallation settings, making it more difficult to remove
- Mabir virus: Similar to Cabir, but it also spreads via MMS rather than relying on Bluetooth alone
- Commwarrior: also tries to disable the onboard antivirus software
- Frontal virus: causes a total system crash of the phone until it is removed
Lastly, a newer Symbian Trojan called Doomboot-A drops a Commwarrior variant when it infects a smartphone. Doomboot-A also destroys the boot process, leaving the phone unusable.
Cross-platform mobile malware
A newer development, and perhaps the most troubling, is the breed of "cross-platform" mobile infectors. For example, the first mobile phone virus capable of infecting a PC was the Cardtrp worm. Cardtrp infects handsets running the Symbian Series 60 operating system and spreads via Bluetooth and MMS. If the phone has a memory card, it drops the Win32 PC virus known as Wukill onto the card.
The most recent type of malware does the opposite: it cross-infects mobile devices from a PC. The first example of such malware, and the subject of this article, is a Trojan dubbed "crossover," which spreads from a Win32 desktop machine to a Windows Mobile Pocket PC handheld.
When executed on Win32, the Trojan checks the version of the running OS. If it is not Windows CE or Windows Mobile, the Trojan makes a copy of itself and adds a startup entry under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run registry key, so that the copy is launched at every logon. The Trojan then quietly waits for an ActiveSync connection to be detected; it can wait indefinitely. When an ActiveSync connection is detected, the Trojan copies itself to the handheld device and executes that copy remotely, at which point the handheld is infected. The Trojan then begins to delete documents on the handheld.
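As an added example (not code from the original article, and not code from the Trojan's authors), the following Python script shows one practical check against the persistence step described above: it parses a .reg export of the HKLM Run key and flags autostart entries whose executable lives outside the usual program and system directories, which is where a dropped copy of a Trojan typically ends up. The sample export, its value names and its paths are constructed for illustration and are not indicators from the crossover Trojan; the list of trusted directories is an assumption to adjust per environment.

```python
import re

# Constructed sample export of the Run key (value names and paths are invented
# for this example; they are not indicators from the crossover Trojan).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"Updater"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\svch0st.exe /s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Installer"="C:\\WINDOWS\\system32\\msiexec.exe /i update.msi"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Assumption: autostart binaries are expected only under these directories.
# Anything else (user profile, temp, drive root) deserves a second look.
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\windows\\",
)

# "name"="data" lines; .reg escapes backslashes and double quotes with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(value: str) -> str:
    # Undo .reg string escaping: backslash-quote -> quote, double backslash -> backslash.
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> dict:
    """Return {key path (lowercased): {value name: string data}} for a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


EXE_RE = re.compile(r"^(.*?\.exe)\b", re.IGNORECASE)


def executable_path(command: str) -> str:
    """Extract the program path from an autostart command line."""
    command = command.strip()
    if command.startswith('"'):          # quoted path, possibly followed by arguments
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)           # unquoted path followed by arguments
    if m:
        return m.group(1)
    return command.split(" ", 1)[0]     # fall back to the first token


def is_trusted_location(path: str, trusted=TRUSTED_PREFIXES) -> bool:
    """True if the executable sits under one of the expected directories."""
    lowered = path.lower()
    return any(lowered.startswith(prefix) for prefix in trusted)


def suspicious_run_entries(reg_text: str, key: str = RUN_KEY, trusted=TRUSTED_PREFIXES):
    """Return [(value name, executable path)] for Run entries outside trusted directories."""
    entries = parse_reg_export(reg_text).get(key.lower(), {})
    return [
        (name, executable_path(command))
        for name, command in entries.items()
        if not is_trusted_location(executable_path(command), trusted)
    ]


if __name__ == "__main__":
    # On a live Windows host, export the key first:
    #   reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg
    # and pass the file's contents instead of SAMPLE_REG.
    for name, path in suspicious_run_entries(SAMPLE_REG):
        print(f"suspicious autostart entry: {name!r} -> {path}")
```

On the constructed sample only the "Updater" entry is flagged, because its binary lives in a user's temp directory. Note that reg.exe writes its export as UTF-16 with a byte-order mark, so read a real export with `open(path, encoding="utf-16")` before passing it in, and check the HKEY_CURRENT_USER Run key the same way, since a non-administrative dropper can only write there.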